Generating a 1024 bit RSA private key
...........++++++
...........++++++
writing new private key to '/etc/apache2/ssl/apache.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

As indicated, you will be asked a series of questions:

Country

Country Name (2 letter code) [AU]:

In my case, I entered 'US' for United States.

State

State or Province Name (full name) [Some-State]:

You can leave this blank but for demonstration purposes I entered 'Texas'.

City

Locality Name (eg, city) []:

Again, leave blank if you wish. I entered 'San Antonio'.

Organization

Organization Name (eg, company) [Internet Widgits Pty Ltd]:

Here I entered 'Company, LLC'.

Unit

Organizational Unit Name (eg, section) []:

I entered 'Web Development'

Name

Common Name (eg, YOUR name) []:

Enter your domain address here - so you might enter something like admin.domain.com. Only use your URL's or IP address. I used admin.domain.com as an example.

Email

Email Address []:

If you want your email address displayed on the certificate, then enter it here. If you are going to use a self-signed certificate for public facing sites then I would recommend entering a valid address as it gives them a person to contact.

Anyway, I entered 'webadmin@domain.com'.

You will be placed back at the command prompt and the certificate has been placed, as directed, in /etc/apache2/ssl/apache.pem.

mod_ssl

So now we have the certificate we need to enable Apache mod_ssl:

sudo a2enmod ssl

Virtual Hosts

Now we get to configuring the virtual hosts to enable secure connections.

Remember that you can only have one certificate per IP address which means that if you enable SSL connections to more than one virtual host they will share the same certificate.

If you have multiple IPs for your Cloud Server (yes, they are coming!) then you would configure the virtual hosts based on IP address and not necessarily based on named hosts (more on this when multiple IPs are available).

Let's start by enabling port 443 on the default vhost:

sudo nano /etc/apache2/sites-available/default

At the very top of the file you will see this:

NameVirtualHost *
<VirtualHost *>
...

Change these settings to listen to the default http port (80):

NameVirtualHost *:80
<VirtualHost *:80>
...

Now we need to add support for port 443.

Add 'NameVirtualHost *:443' so it looks like this:

NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
...

So now the default virtual host is listening to both port 80 and port 443. However, we've only got settings for port 80: It won't know what to do with any connections to port 443.

Let's rectify that by copying the <VirtualHost *:80> settings:

<VirtualHost *:80>
...
...
</VirtualHost>

...and paste them at the bottom of the file with the port changed to *:443 as follows:

<VirtualHost *:443>
...
...
</VirtualHost>

One final tweak to the pasted settings is the addition of these two lines:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem

Reload

At this point, reload Apache for the new settings to take effect:

sudo /etc/init.d/apache2 force-reload

Warnings

Now when you browse to your IP address or whichever virtual host you setup to use SSL, you will see warnings similar to these:

Clicking 'OK' will take you to a second warning:

If you accept the certificate, you will then proceed to the site. However, as you can tell, a visitor receiving these warnings on a supposedly secure area of a public website will not be too impressed. They are, however, fine for personal use and for an administration area.

Other virtual hosts

Remember how we changed <VirtualHost *> to <VirtualHost *:80> in the default virtual hosts file? Well, we need to do the same for any other virtual hosts files.

Then, to add SSL support to any other virtual hosts simply repeat the procedure and have two configurations in each file. One for port 80 and one for port 443 - keep in mind that any configured virtual hosts will share the same certificate.

You don't need the NameVirtualHost settings in each file though. They only need to be in the default file.

Summary

Once you get used to the process, adding self-signed certificates and configuring virtual host support for SSL connections is relatively straight forward.